This unique cyber study found a serious disconnect in risk management. What’s interesting is that the majority of companies cover plant, property and equipment losses, insuring an average of 59 percent and self-insuring 28 percent. Cyber is almost the opposite, as companies are insuring an average of 15 percent and self-insuring 59 percent.
The purpose of this research is to compare the relative insurance protection of certain tangible versus intangible assets. How do cyber asset values and potential losses compare to tangible asset values and potential losses from an organization’s other perils, such as fires and weather?
The probability of any particular building burning down is significantly lower than one percent (1%). However, most organizations spend much more on fire-insurance premiums than on cyber insurance despite stating in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets. One recent concrete example is the sale of Yahoo!: Verizon recently reduced the purchase price by $350 million because of the severity of cyber incidents in 2013 and 2014.
Acceleration in the scope, scale and economic impact of technology multiplied by the concomitant data revolution, which places unprecedented amounts of information in the hands of consumers and businesses alike, and the proliferation of technology-enabled business models, force organizations to examine the benefits and consequences of emerging technologies.
This financial-statement quantification study demonstrates that organizations recognize the growing value of technology and data assets relative to historical tangible assets, yet a disconnect remains regarding cost-benefit analysis resource allocation. Particularly, a disproportionate amount is spent on tangible asset insurance protection compared to cyber asset protection based on the respective relative financial statement impact and potential expected losses.
Quantitative models are being developed that evaluate the return on investment of various cyber risk management IT security and process solutions, which can incorporate cost-benefit analysis for different levels of insurance. As such, organizations are driven toward a holistic capital expenditure discussion spanning functional teams rather than being segmented in traditional silos. The goal of these models is to identify and protect critical assets by aligning macro-level risk tolerance more consistently.
How do organizations qualify and quantify the corresponding impact of financial statement exposure? Our goal is to compare the financial statement impact of tangible property and network risk exposures. A better understanding of the relative financial statement impact will assist organizations in allocating resources and determining the appropriate amount of risk transfer (insurance) resources to allocate to the mitigation of the financial statement impact of network risk exposures.
Network risk exposures can broadly include breach of privacy and security of personally identifiable information, stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on computers, posting confidential business information on the Internet, robotic malfunctions and disrupting a country’s critical national infrastructure.
We surveyed 709 individuals in North America involved in their company’s cyber risk management as well as enterprise risk management activities. Most respondents are either in finance, treasury and accounting (34 percent of respondents) or risk management (27 percent of respondents). Other respondents are in corporate compliance/audit (13 percent of respondents) and general management (12 percent of respondents).
All respondents are familiar with the cyber risks facing their company. In the context of this research, cyber risk means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.
Despite the greater average potential loss to information assets ($1,020 million) compared to Property, Plant & Equipment (PP&E) ($843 million), the latter has much higher insurance coverage (62 percent vs. 16 percent).
Following are some of the key takeaways from this research:
- Information assets are underinsured against theft or destruction based on the value, probable maximum loss (PML) and likelihood of an incident.
- Disclosure of a material loss of PP&E and disclosure of information assets differ. Forty-five percent of respondents say their company would disclose the loss of PP&E in its financial statements as a footnote disclosure. However, 34 percent of respondents say a material loss to information assets does not require disclosure.
- Despite the risk, companies are reluctant to purchase cyber insurance coverage. Sixty-four percent of respondents believe their company’s exposure to cyber risk will increase over the next 24 months. However, only 30 percent of respondents say their company has cyber insurance coverage.
- Fifty-six percent of companies represented in this study experienced a material or significantly disruptive security exploit or data breach one or more times during the past two years, with an average economic impact of $4.4 million.
- Eighty-nine percent of respondents believe cyber liability is one of the top 10 business risks for their company.